Security Advisory

CVE-2018-15761: UAA Privilege Escalation

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using uaa-release versions prior to v64.0
  • You are using uaa versions prior to 4.23.0

Description

Cloud Foundry UAA, release versions prior to v64.0, contains a validation error that allows privilege escalation. A remote authenticated user may modify the URL and content of a consent page to obtain a token with arbitrary scopes, escalating their privileges.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • uaa-release versions v64.0
    • uaa version 4.23.0
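To check an inventory of deployed UAA components against the affected and fixed versions listed above, here is an added example (not code from the Cloud Foundry project or this advisory). It assumes component names "uaa-release" and "uaa" and version strings in the form the advisory uses ("v64.0", "4.23.0"); the sample inventory is constructed.

```python
"""Check whether deployed UAA component versions fall in the range affected by
CVE-2018-15761: uaa-release prior to v64.0, uaa prior to 4.23.0 (per the advisory)."""
import re
from typing import Dict, Tuple

# First non-affected release of each component, as stated in the advisory.
FIXED_VERSIONS = {
    "uaa-release": "v64.0",
    "uaa": "4.23.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v64.0', '64' or '4.23.0' into a comparable tuple of integers.
    A leading 'v' (used in uaa-release tags) is ignored. An unparsable string
    raises ValueError instead of silently comparing as 'not affected'."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_less_than(a: str, b: str) -> bool:
    """Numeric comparison; missing trailing components count as zero, so 'v64' == 'v64.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(component: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that component."""
    if component not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for component {component!r}")
    return version_less_than(installed, FIXED_VERSIONS[component])


def assess(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each {component: installed version} entry to whether it is affected."""
    return {component: is_affected(component, version) for component, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; not taken from any real deployment.
    sample = {"uaa-release": "v63.0", "uaa": "4.23.0"}
    for component, affected in assess(sample).items():
        print(f"{component}: {'AFFECTED, upgrade required' if affected else 'not affected'}")
```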

Credit

This issue was responsibly reported by the UAA team.

History

2018-11-01: Initial vulnerability report published.

Cloud Foundry Foundation Security Team, AUTHOR